Get to know the 17 domains behind the DoD's Cybersecurity Maturity Model Certification

As we’ve discussed in other articles, the Cybersecurity Maturity Model Certification is built on a complex framework that includes a well-documented and functionally overlapping set of processes, capabilities, practices, and controls.

But above all those elements is the concept of domains, a term you’ll be seeing quite a lot with CMMC, the certification that lets you do business with the US Department of Defense—or work with an organization that does.

As this vital DoD certification phases in over the next few years, you’ll have an advantage over your competition if you understand the main points of this article:

Defining Domains

CMMC domains encompass high-level aspects of cybersecurity, such as asset management, maintenance, and identification and authentication. Keep in mind the term “domain” in the CMMC ecosystem bears no relation to the “domains” of the World Wide Web, which are, simply put, the names of websites.

You could view CMMC’s 17 domains as the top-level organizing elements or areas of control and assessment for the certification framework. And each domain is associated with a set of required processes and capabilities that ultimately drive the 171 practices and numerous controls below them. We’ll focus strictly on domains and capabilities in this article, but you can learn more about the smaller units of CMMC in our other CMMC Knowledge Hub articles:

When it comes to domains, it’s important to realize they apply across all levels of CMMC maturity, forming the basic conceptual starting point in a comprehensive model framework. Take a trip back to high school chemistry and think of domains as the elements of the periodic table. You mix and match different elements to varying degrees to get different chemical compounds. In this metaphor, CMMC maturity levels are those compounds.

Where did the CMMC domains come from? According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, or OUSD (A&S), most originate from “the security-related areas in Federal Information Processing Standards (FIPS) Publication 200,” as well as “the related security requirement families from NIST SP 800-171.” They also added three domains titled Asset Management, Recovery, and Situational Awareness.

But what exactly are these domains and the capabilities associated with them?

Domains for Capabilities

The grid of CMMC domains below covers the overall aspects of security that drive the individual capabilities housed within them. But not all domains carry the same weight. A domain like “Maintenance,” for example, contains a single capability. The domain “Incident Response,” meanwhile, contains five of them. For a running list of all capabilities, you can reference version 1.02 of the official CMMC model.

Not every domain or its underlying capability applies to every level of CMMC certification either. For example, Levels 1 and 2 of CMMC have no requirement for “Asset Management,” while Level 3 and Level 5 do. But there’s no doubt that these domains encompass every aspect of CMMC certification from the lowest level of certification to the highest.

How Domains Relate to Practices

In CMMC, domains function as a conceptual grouping mechanism: a way of understanding how comprehensively CMMC defines and assesses successful cybersecurity as you move into ever-more-specific activities on the way to certification.

CMMC documentation provides detailed lists of specific required practices under each capability. For example, the “Asset Management” domain includes the capabilities of “Identify and document assets” and “Manage asset inventory.” If those capabilities sound rather vague and high-level, it’s because they are. But these capabilities in turn encompass two separate practices, each describing a concrete activity, and each encoded with a string of characters representing the two-letter domain abbreviation, the CMMC maturity level, and the practice number.

The “AM” in that practice number means “Asset Management,” while the 3 or 4 represents the level of certification the practice maps to. And because the levels are cumulative, within this domain alone you would need only the first practice to achieve Level 3, but both the first and the second to achieve Level 4.

Tools for Domain Mastery

Each domain encompasses specific capabilities, practices, and controls—a level of detail too complex to lay out here. And while you can download a spreadsheet containing all the detailed tables and lists for various CMMC maturity levels, the way capabilities, practices, and controls map across domains and maturity levels makes it hard to keep track of what you need to do or document. For example, the domain “Audit and Accountability” contains four capabilities that map to a total of 14 practices, with the final number dependent on the CMMC level you’re seeking.

While software can’t execute the practices required to achieve CMMC certification at the level you want, it can help you assess your current state and guide you through the steps needed to reach your CMMC goals.

